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Abstract 

We examine the security of existing radio 
navigation protocols and attempt to define 
secure, scalable replacements. 

1 Motivation 

Resourceful and well-funded groups are clearly in- 
terested in using aircraft as projectile weapons. In- 
creased airport and cockpit security can significantly 
increase the difficulty of bombings and hijackings, but 
some attacks can be executed without ever touching 
their targets: It is possible to lead an aircraft astray 
by transmitting noise or false information to its com- 
munication and navigation systems, potentially driv- 
ing it into terrain or other aircraft. 

The radio services currently used in civil aviation 
were simply not designed with malicious parties in 
mind. Regulatory agencies and the aviation industry 
are working together now to develop digital radio pro- 
tocols for civil aviation, and they haven't done any 
real work toward security. If the new generation of 
avionics were widely deployed without cryptographic 
protection, disaster could result, and the costs of 
another industry-wide equipment upgrade would be 
staggering. 

We do not suggest that exploitation of naviga- 
tion vulnerabilities is inevitable or easy. Aircraft are 
flown by intelligent beings; radio systems are just one 
element in pilots' and controllers' decision-making 
processes. There is enough redundancy in the cur- 
rent navigation system that an effective navigation 
exploit should require multiple simultaneous trans- 
mitters. Professional pilots of functional aircraft do 
not unintentionally hit things that they can see out 
the window - these problems are specific to fiight 
in instrument meteorological conditions (clouds, fog, 
precipitation, and smoke). Still, an attack or threat 
against airborne radio services would have economic 
consequences regardless of whether it caused actual 
physical damage. Commercial aviation only works 



when customers, employees, and investors all feel 
safe. Most airline revenue comes from the large, com- 
plex terminal areas that are most dependent on com- 
munication and navigation; operations would need 
to be scaled back in the absence of trustworthy radio 
protocols. 

The need for navigation security is not exclusive 
to aviation. We emphasize examples from that in- 
dustry because aircraft in flight have enough kinetic 
and potential energy to cause massive destruction. 
Surface navigation shares the same essential threats. 
Also, as explained further below, navigation is largely 
equivalent to precise time transfer. Time and fre- 
quency synchronization over radio is common in com- 
munication and surveillance networks, and it is easy 
to envision time-dependent industrial processes that 
would go catastrophically wrong if their time scales 
were distorted or their components were desynchro- 
nized. 

Improving navigation systems' resilience would 
have at least one fortuitous positive effect: easing 
deployment of ultra-wideband waveforms. Concerns 
about interference with safety-of-life navigation radio 
are currently a hindrance to ultra-wideband technol- 
ogy's broad adoption. 



2 Threat environment 

2.1 Active over-the-air threats 

Interference is the accidental masking of signals by 
other signals or by natural radio emissions. Re- 
sponding to interference is relatively straight- 
forward and well-studied: multi-transmitter 
services require protocols for arbitrating mul- 
tiple access; continuous noise can be countered 
by directional antennae, spread-spectrum tech- 
niques, and increased transmitter power; inter- 
mittent noise necessitates error-correction cod- 
ing or otherwise redundant bitstreams. 
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Jamming is the intentional masking of a signal 
by another transmission, degrading or denying 
some radio channel. Anti-jam techniques are 
mostly the same as methods to abate interfer- 
ence, with two additional requirements. First, 
predicting spread-spectrum variables must be 
computationally infeasible even given knowl- 
edge of all of the transmissions to date or jam- 
mers will be able to generate the same sequence 
and transmit exactly over the content of the 
signal. Second, a jammer must not be able 
to detect the current hop frequency quickly 
enough to retune to it and transmit before the 
information-bearing part of the hop's waveform 
has been entirely sent.^ 

Intrusion is the intentional transmission of false in- 
formation into a communication or position- 
ing network to deceive or computationally over- 
whelm targets. (Spoofing means roughly the 
same thing in the context of navigation; it has 
different connotations in computer networking.) 
Cryptographic authentication can, by defini- 
tion, prevent access-granting^ intrusion on dig- 
ital radio networks. 

Meaconing is the reception and rebroadcast of le- 
gitimate navigation/time signals."^ Spatially 
redirecting or precisely delaying signals in a 
navigation system can lead a victim receiver 
to an incorrect indication of position. Since 
meaconing doesn't require attackers to predict 
signal content, it can't be prevented by merely 
authenticating the navigation bitstream. Re- 
sponses to meaconing are the central open prob- 
lem addressed here. 

2.1.1 Security relationships 

There are relationships between notions of security 
against these attacks: 

• Any protocol that resists jamming is also ro- 
bust against interference from benign external 
sources, because transmitting any signal inde- 
pendent of the target waveform is a subset of 
assumed jammer capabilities. 

^ "Follow-on jamming" . 

■^As opposed to denial-of-scrvicc. 

^ "Meaconing" is sometimes used more broadly to mean any sor 
is more useful in our context. 

^Navigational aids: devices that transmit or reflect a signal to 



• Analogously, an authentication algorithm that 
prevents intentional intrusion from constitut- 
ing valid messages also reduces interference and 
jamming to denial-of-service threats. 

• A system that perfectly resists jamming is also 

immiine to intrusion and meaconing: anti-jam 
security means that a jammer can't transmit 
anything to the system's receivers, let alone cho- 
sen messages. However, secure communication 
in the real world still requires authentication, 
because jamming resistance is conditioned on 
signal-to-jamming ratio and there is a margin in 
which a pseudorandom subset of received sym- 
bols will be attacker-derived. 

1.1.2 Potential source sites for malicious ra- 
dio transmissions 

• On target aircraft 

Ground-based and satellite navaids^ are hun- 
dreds to millions of meters away from aircraft 
radio receivers; passengers and cargo are just 
a few meters away. Thus, transmitters inside 
their target aircraft only need thousandths to 
trillionths of the output power of legitimate 
navaids to overwhelm them. Aircraft bodies 
and contents provide some shielding from in- 
ternal signal sources, but not enough. 

Some intrusion and meaconing attacks neces- 
sitate precise knowledge of their targets' loca- 
tions. With transmitters located on the target 
itself, that becomes vastly easier. 

There is no way for typical airport security 

screeners to distinguish between, for instance, 
an ordinary laptop and one containing a con- 
cealed jammer/spoofer. Portable transmitters 
can overpower most non-secure airborne radio 
systems in the host plane (and probably others 
nearby) for as long as a power source is avail- 
able. 

• On other aircraft 

Airborne jammers have some advantages for 
the attacker over ground-based transmitters: 

; of intrusion into navigation channels, but a narrow definition 
indicate a client's position. 
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increased exposure of low- altitude targets, in- 
creased distance to horizon, and decreased sus- 
ceptibility to directional antenna nulling. 

Powered craft controlled by malicious parties 

are easy to locate; in rural areas they arc also 
easy to destroy, but targeting one in an ur- 
ban environment carries a high risk of civil- 
ian casualties. The airborne threat is not 
limited to engine-powered vehicles: GPS jam- 
ming devices with considerable range that fly 
on small helium balloons and toy gliders have 
been demonstrated. [1] Weather balloons and 
balloon-launched gliders can rise well above 
the ceilings of most fighter aircraft. Although 
above-cloud altitudes leave them visually de- 
tectable, they have such a low thermal signa- 
ture and radar cross-section (unless specifically 
designed to be radar-reflective) that they're 
effectively invisible to most seeking technolo- 
gies. The best available conventional response 
is anti-radiation missiles (ARMs), which are ex- 
pensive and limited in availability. Any security 
force considering an ARM needs to be very sure 
that the radiating target is not a passenger air- 
craft. ARMs are not even likely to be effec- 
tive when wind velocity is relatively high if the 
attacker uses a constellation of balloon-based 
jammers that are each only active a fraction of 
the time. 

• On the ground 

Ground- and sea-based transmitters have by far 
the most power available to them — even a mo- 
bile station can output thousands of watts of 
signal and they htq capable of disabling all un- 
secured airborne radio for everything above the 
horizon. 

2.2 Passive over-the-air threats 

The passive threats of concern in military trans- 
mission security^ — detection, location, identifica- 
tion, and interception — are of much less impor- 
tance in civil aviation. Civilian flights operate mostly 
on schedule between known airports, carrying un- 
trusted passengers and cargo, with no infrared or 
radar countermeasures and little ability to maneu- 
ver to avoid projectiles. One of our major goals in 
preventing midair colHsions is to ensure that aircraft 

^Methods for preventing an adversciry from reading from or 
spread-spectrum techniques. 



know where all other (untrustcd) nearby airc;raft are, 
which obviously negates stealth. Still, we will cur- 
sorily examine observability and try to minimize it 
when possible. 

2.3 Physical threats 

In addition to the threats posed by independently 
sited malicious transceivers, aviation radio facilities 
(particularly unstaffed remote navaids) are vulnera- 
ble to access-granting physical attacks that subvert 
cryptologic security: 

• Navaid movement. Whether communication 

channels from a navaid are secure is irrelevant 
if the navaid can be picked up and relocated. 

• Directional antenna alteration. Likewise, 
navaids that indicate a client's current azimuth 
or elevation angle can be rotated, be reconfig- 
ured, or have their direction sensors changed. 

• Navaid antenna remoting. If the transmit- 
ter itself is secured or just difficult to move, 
its transmit or receive antennae could be con- 
nected to a long cable and relocated. This isn't 
a likely risk for high-power transmitters or com- 
plex directional antenna arrays, but it is cer- 
tainly a concern for time-of-flight-based navaids 
and landing path indicators. 

• Output meaconing via antenna connec- 
tion. Dropping a delay device directly between 

the navaid processor and its antenna obviates 
the need to overpower or jam the navaid's orig- 
inal transmission. 

• Input meaconing via antenna connection. 

Navaids that get information about their posi- 
tions and/or the time via other navaids could be 
subject to meaconing by devices connected to 
their antenna inputs; that would be vastly eas- 
ier than over-the-air meaconing against moving 
targets. 

• Deceptive parameter modification. If the 

operator interface of a navaid is insufficiently 
secure, an intruder could change navigation- 
critical parameters. In timestamped protocols, 
if the navaid's clock is subject to tampering, 
much of the protection of cryptographically- 
secured navigation protocols is negated. 

ting to a communication channel; this primarily refers to 
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• Cryptographic equipment theft. The 

entire navaid doesn't necessarily need to 
be moved — if cryptographic modules can be 
covertly stolen and connected to a different 
transmitter without zeroizing them, the navaid 
is compromised. 

• Key compromise. Navaid keys can be leaked 
locally through probing, compromising emana- 
tions, fault injection, power/timing/heat anal- 
ysis, and so on. 

3 Methods of radionavigation 

A radio signal can be completely characterized by 
amplitude as a function of position, direction, polar- 
ization, and time. For conventional (sinusoidal, non- 
UWB) transmission systems, it is useful to further 
decompose time variation into carrier frequency, car- 
rier phase, and modulated content. We can then cat- 
egorize navigation schemes according to which values 
are measured by the receiver. 

Each of these measurements establishes that the 
receiver's position is near some geometrical object: a 
circle if we're measuring distance, a hyperbola for dis- 
tance differences, a ray or a set of rays for direction. 
Actual 3D position is given by the intersection of sev- 
eral similar or different position objects, or sometimes 
the intersection of position loci with physical objects 
like the earth's surface. 

3.0.1 Design limitations 

If every client had a continuous channel with every 
navaid, protected by effective transmission security, 
we could assume that it was not subject to external 
manipulation; navigation using such channels would 
be secure. This security model is appropriate for and 
currently used by military organizations. However, in 
a true public service, the combination of thousands of 
potential users and the large bandwidths consumed 
by spread-spectrum links would necessitate massively 
parallel navaid transceivers and huge swaths of spec- 
trum. We need to examine what can be done to as- 
sure secure navigation without full transmission se- 
curity. 

Cost limitations preclude building navigation pro- 
tocols for which clients require complex directional 
antenna clusters (phased arrays, etc.). Although that 



may change as adaptive antenna technology begins to 
penetrate the consumer market, we will assume sim- 
ple (omnidirectional or fixed unidirectional) antenna 
designs for client nodes.^ 

3.0.2 Cryptographic requirements 

The security protocols that follow presume the ex- 
istence of a few non-malleable^ cryptographic primi- 
tives applicable to messages of arbitrary length: 

• a hash function H 

• an integrity-preserving symmetric encryption 
transform family ek, dk 



I public-key 



signature transform family 

Priv Pub 



an integrity-preserving public-key encryption 
transform family Epub , Dpriv , M : Priv Pub 



Some sort of certification and revocation architec- 
ture is also necessary to bind navaid identifications 
to public keys, and to let protocol participants de- 
termine what degree of confidence in each binding 
is appropriate. Any good implementation will pro- 
vide a flexible language for users and administrators 
to assign trust in keys, algorithms, equipment certi- 
fications, and so on. We discuss specific certificate 
contents in section 6, below. 

For clarity, we describe some protocols that don't 
provide anonymity or secrecy. All of them are readily 
adaptable by adding an outer layer of encryption or 
transmission security. 

Passive-client systems 

3.1 Ceirrier amplitude 

Description 

In this simplest navigation scheme, navaids trans- 
mit a continuous signal. The received signal strength 
determines distance to the transmitter. 

Examples 

Primitive homing receivers 
Security 

Unsecurable. Simply transmitting an unmodu- 
lated carrier or a noise signal will change the per- 
ceived distance to the navaid, even if the authorized 



^Building ground transponders for pre-existing airborne traiBc and weather radar antennae might be worth considering, 
though. 

^Detailed analysis of security requirements on these algorithms is beyond our scope. 
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signal is cryptographically aTitlicnticablc. In fact, this 
method is so sensitive to equipment vagaries and en- 
vironmental propagation conditions that it's not very 
useful at all. With frequency hopping, the best pos- 
sible output recovered relative to a jamming environ- 
ment would be a distance that jumps around the ap- 
proximate range to the legitimate source as the chan- 
nel frequency hits other transmitters. 

3.2 Carrier amplitude anisotropy 

Description 

Navaids transmit a simple continuous signal. Re- 
ceivers use directional antennae to determine the 
headings to transmitters. 

Examples 

NDBs/ADF; S&R and SIGINT DF receivers 
Security 

Unsccurablc in the navaid context. Cost- 
effective implementations of this technique use sim- 
ple loop/sense antenna pairs that can't distinguish 
between multiple emitters. Broadcasting an unmod- 
ulated carrier or noise on the beacon frequency will 
deflect direction measurements made on such an an- 
tenna pair. [2] Frequency hopping would also be un- 
likely to help here. 

3.3 Carrier frequency 

Description 

Navaids transmit at a precise known frequency. 
By measuring actual received frequencies, the client 
obtains the Dopplcr shift of each signal and, there- 
fore, the client's velocity relative to each navaid, 
which determines its position. For this to work, ei- 
ther the client or the navaid needs to be moving, and 
one or the other must have a predictable position or 
path. 

Examples 

NNSS/Parus, SARSAT/COSPAS, Argos; S&R 
and SIGINT DF receivers 
Security 

Unseciirable. Frequency measurements arc quite 
sensitive to narrow-band jamming and intrusion, and 
again could be altered by transmitting unmodulated 
signals. Frequency hopping seems unlikely to be 
compatible with precise frequency measurement of 
a transmitter not otherwise synchronized with the 
client, due to oscillator construction limitations. 



3.4 Modulated signal content 

Description 

Navaids transmit anisotropic signals; the content 
of the received message determines the client's az- 
imuth or elevation angle from the navaid. 

Antenna direction can be fixed (as in an indica- 
tor that an aircraft is above or below the desired glide 
path for landing) or varying (as in some general meth- 
ods for determining azimuth from a navaid) . If vary- 
ing, the directionality can be created by one antenna 
physically moving in a circle, or an antenna array 
electronically scanned (circularly or randomly). 

Examples 

VOR/Localizer, TACAN azimuth guidance, ILS 
glide-slope indicator, ILS marker beacons 
Security 

Somewhat securable. The most serious threats 
to this method are navaid movement, antenna alter- 
ation, antenna remoting, and meaconing. Clearly this 
implies navaids with strong physical security - no un- 
staffed terrestrial implementation of it can ever be 
secure. 

Signal-content-based navigation is eminently 
compatible with all types of transmission security, 
which would make over-the-air attacks difficult. 

The following protocol prevents most easy attacks 
against systems that can't use transmission security, 
and adds a degree of resilience to those that can: 



3.4.1 Protocol 1: Passive signal-content nav- 
igation 



Navaid sends: 


P 


Navaid position 


d 


Navaid antenna direction 


t 


Timestamp 


i 


Navaid identifier^ 


Skip, d,t,i) 


Signature of navigation data 



Because a valid signature is not predictable in 
a reasonable computation time without knowing the 
navaid's private key k, reception of a correct message 
by the client guarantees three things: 



• At or after the time t, a communication chan- 
nel existed from the indicated navaid's antenna 
(which the navaid believed to be pointed in the 
indicated direction at that time) to the client. 

• The current time is at or after t plus the sig- 
nal's travel time to the aircraft. So given a 
time source accurate to the duration of the time 
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step between clireetion incssages (a few millisec- 
onds), a client can exclude older replayed direc- 
tion packets.^ 

• Therefore, a successful meaconer must be able 
to receive transmissions in realtime from the di- 
rection that it wants to tell victims is correct. 

Meaconing could be done via high-gain antennae 
that receive sidelobe signals, but that has a partial 
defense: the navaid can transmit a jamming signal 
from an omnidirectional antenna co-sited with its di- 
rectional one. This masking jammer must be signifi- 
cantly stronger at any position available to untrusted 
equipment than the directional antenna's strongest 
sidelobe and any information-bearing spurious prod- 
uct or other unintentional emanation of the naviga- 
tion transmitter. It also must have the same polar- 
ization. If site features permit, antennae should be 
masked to prevent any non-airborne adversary from 
receiving the directional signal at all. If possible, 
aircraft using a runway-mounted navaid for landing 
guidance should use forward-pointing directional an- 
tennae to exclude off-axis attackers. 

With these safeguards in place, a node in receipt 
of a navigation message knows that it was either re- 
ceived directly from the navaid or redirected by a re- 
ceiver that is airborne and in the antenna's direction 
right now (though the meaconing transmitter might 
not be). Particularly, it should be quite difficult to 
maliciously tell users of an instrument landing scheme 
that they're on the correct heading and glide slope to 
land - an attacker who can insert physical objects 
into or on an extension of the landing path would be 
better off just going after the aircraft directly. As for 
general azimuth-indicating navaids like VOR, there's 
little we can do to prevent their signals from being 
redirected; the passive signal-content technique has 
limited security unless transmission security is used. 

3.5 Modulated signal timing 

Description 

Navaids either individually transmit a signal indi- 
cating the precise current time or cooperate to trans- 
mit a simple signal in a precisely-timed sequence. 
Clients, measuring message arrival times, determine 
position to be either on a sphere based on absolute 
time of flight or on a hyperboloid based on difference 
in time of flight. Time-of-flight-based navigation does 

^Note that the timeliness guarantee places an upper bound 
some cryptanalytic and signal-detection techniques are infeasib 



not require either navaids or clients to use directional 
antennae, so it is suitable for mobile peer-to-peer use. 
Examples 

GPS, LORAN-C, OMEGA/ALPHA; Link-16/ 
TADIL-J/MIDS/JTIDS, EPLRS/SADL 
Security 

Securable. The level of assurance is dependent on 
the number of navaids receivable at the client posi- 
tion. 

For small, mutually-trusting node groups, trans- 
mission security is readily added to this navigation 
scheme - some existing protocols already use fre- 
quency hopping, time hopping, and direct-sequence 
spread spectrum together with signal-timing-based 
navigation. 



3.5.1 Protocol 2: Passive time-of-flight navi- 
gation (post-authenticated) 



Navaid sends: 


P 


Navaid position 


d 


Navaid antenna direction 


t 


Timestamp 


i 


Navaid identifier 


Skip, d-,t,i) 


Signature of navigation data 



(Note that navaid transmissions in this protocol 
are identical to Protocol 1. We examine combining 
them in a later section.) 

The difference between t and the client's clock 
value when the client received t is the sum of clock 
error, propagation time, and meaconing delay. A 
client without a priori knowledge of two of these val- 
ues can't determine the other one, so ranging or time 
synchronization based on a single navaid is inherently 
insecure. However, each received t establishes a lower 
bound for the actual current time, and messages from 
different navaids arrive with little enough time be- 
twecin them that the client can accurately measure 
the elapsed time. If any pair of messages is received 
with timestamps that indicate the difference between 
the two is farther than the maximum difference in sig- 
nal travel time, at least one navaid is being meaconed. 
Hence, receiving a single non- meaconed navaid signal 
sets an upper bound for undetected meaconing delay; 
unfortunately, that bound represents a distance error 
on the order of the distance between navaids, so we 
need to add additional security checks. 

Consider a client navigating by multilateration us- 
ing Protocol 2 alone. Receiving three navaids speci- 

on the computational workfactor available to the meaconer, so 
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fies a 3D position; receiving fonr corrects for client 
clock inaccuracy. If we add a fifth, we can solve 
for another variable: the delay time of a single mea- 
coned navaid. Furthermore, the client can model the 
measured geometry of the navaids in view and com- 
pare it to the position relationships established by the 
navaids' signed positions; meaconing will make them 
inconsistent. 

Without an independent and highly accurate 
clock on the client, it is fundamentally impossible to 
detect using passive techniques alone whether all of 
the navaid signals arriving at the client's position are 
being simultaneously delayed. It would be technically 
challenging to remotely specify an arbitrary position 
to a moving platform, but two replay attacks are easy: 

• placing a simple meaconing device (wideband 
analog-digital converter, digital delay line, 
wideband digital-analog converter) on the tar- 
get platform so that, for instance, it thinks it's 
at the position in the landing approach that it 
was a few seconds ago. 

• using a bent-pipe transponder to retransmit the 
signals received by one client so that others 
think they have its position. (Note that this 
is only likely to be persuasive if both clients are 
airborne or both are groimd-based.) 

These attacks are sufhciently damning in the context 
of commercial air navigation that passive navigation 
schemes without transmission security such as GPS 
should be absolutely ruled out as sole means of navi- 
gation for precision approach in zero- visibility condi- 
tions. 

A differential overlay without transmission secu- 
rity on a passive system adds little or no security, 
because it's equally susceptible to simple meaconing. 
However, if the differential signal is LPI-secure (as in 
some of the proposed military differential GPS solu- 
tions), eliminating some meaconing scenarios is pos- 
sible. The security of a combination of mostly un- 
trusted signals with one or two trusted differential 
signals is an interesting question for further study. 

3.5.2 Protocol 3: Passive time-of-flight navi- 
gation (pre-authenticated) 

For vehicles that are so fast and agile that a public- 
key signature verification delay is unacceptable, it's 
possible to authenticate timestamps ahead of time: 

The navaid generates a random value r and 
chooses times {ti,t2) when it will transmit the fol- 



lowing packets. (We assume that the navaid has pre- 
viously asserted its identity and position.) 



Navaid sends: (Packet 1) (Sent at time ti) 


H{r,t2) 

ti 

Sk{H{rM)M) 


Hash of r and t2 
Timestamp of this packet 
Signature of hash and t\ 



The client verifies the signature, stores H{R,t2), 
and waits to receive a packet that hashes to that hash. 



Navaid sends: (Packet 2) (Sent at time ^2) 



r 

t2 



Random string r 
Timestamp of this packet 



The inversion resistance of H guarantees that the 
node that sent packet 1 knew r and 1,2] the navaid's 
signature on H{r,t2) asserts that the navaid gener- 
ated r and ^2; the unpredictability and novelty of r 
ensure that no node could have known r before the 
navaid sent it. 

Active-client systems 

3.6 Carrier frequency shift 

Description 

A client transmits a signal on a precisely-known 
frequency; navaids receive it and respond exactly 
at the Doppler-shifted frequency they receive, or 
at some other precisely-related frequency; the client 
measures the exact received frequency. Substitut- 
ing the transmitted and received frequencies into the 
Doppler equation gives the client's velocity relative 
to each navaid; that, in turn, can be used to find 
the client's position. As in the related client-passive 
scheme, one or both of the protocol participants must 
be moving, and one or both must have a predictable 
position or path. "Navaids" here can be passive — the 
most common application of this technique to naviga- 
tion uses the ground itself as a reflector to determine 
an aircraft's groundspeed for dead reckoning. 

Examples 

Doppler navigation radar; target velocity detec- 
tion on other radars 
Security 

If the interrogation signal is genuinely random, or 

cryptographieally pseudorandom and not repeated, 
an attacker can't simply transmit a false return sig- 
nal. This method is therefore quite secure from mea- 
coning when the ground is used as a reference and 
the ranging beams are narrow an attacker would 
need to follow the aircraft precisely to supply more 
than a few seconds' worth of incorrect velocities. It 
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is significantly less secure if applied to groiind-based 
navaids, where the same attacks that work on the 
passive version apply. It might be securable through 
spread-spectrum modulation, but that would impose 
strict requirements on oscillator, mixer, and amplifier 
design. 

3.7 Modulated signal response time 

Description 

A client transmits a signal pattern; navaids return 
a signal pattern as soon as possible. Subtracting pro- 
cessing delay and multiplying by the wave speed gives 
the distance between the two transmitters. Navaids 
for this method can also be passive - for instance, 
marine radar reflectors and the ground features used 
by terrain-matching radar. 

ExEimples 

DME, various types of radar 
Security 

Very securable. Both interrogation and response 
messages can be authenticated, thus making meacon- 
ing the only significant vulnerability; the meaconing 
threat is covered in detail below. As this method 
is not client-passive, it needs transmission security 
if low observability is an objective. Frequency hop- 
ping and direct-sequence spreading are among the 
transmission-security methods in use in radar equip- 
ment now. 

In interactive protocols, the signature and veri- 
fication delay mentioned in Protocol 3 above is at 
least doubled, so decoupling the key exchange from 
the timing-critical segment is actually crucial. 

3.7.1 Protocol 4: Active time-of-flight navi- 
gation (pre-authenticated) 

We're designing a public service, so we need to use 
asymmetric cryptography. Time-based navigation 
protocols need to happen literally at the speed of 
light, but asymmetric algorithms are decidedly less 
quick, especially considering that to avoid timing at- 
tacks on private keys we need to fix the time for each 
operation at its worst-case value. Since we can sub- 
tract fixed protocol- induced delays from the message 
timing used to measure distance, delay error is a mat- 
ter of how far the platforms can move during the de- 
lay rather than how far signals can travel. 



Assume two nodes with no prior knowledge of 
their relative position and velocity are moving to- 
gether at 10^ meters per second. We want no more 
than 1 meter of positioning error, so 1 millisecond 
is the maximum message verification time. Running 
two verifications and a signature for a reasonably- 
secure digital signature algorithm takes several mil- 
liseconds on modern general-purpose microproces- 
sors. 

Howevcir. microsecond- level timing is only crucial 
within the actual message exchange. It's entirely suf- 
ficient for participants to know not where they are 
right now, but where they were a few milliseconds 
ago. We can decouple the long-term secure digital 
signature from the timed message via the following 
protocol: 

The protocol participants agree on a key and sym- 
metric encryption algorithm, and authenticate each 
other. Each participant generates a random bit se- 
quence. The rest of the messages in this protocol 
are encrypted with the agreed-upon symmetric algo- 
rithm.-^^ 



Client sends: (Interrogation) 



Client's random string 
Tim(>st aiuj) 



The navaid decrypts each incoming packet with 
each of the key /cipher pairs that are valid in its area. 
Any message that some valid key doesn't decrypt to 
a valid interrogation or reply is dropped. If the time- 
stamp is current and the navaid hasn't received that 
Vc before, it immediately responds: 



Navaid sends: (Response) 



Client's random string 
Navaid's random string 



The client measures the precise time from the be- 
ginning of its transmission to the end of the navaid's 
response. For each valid decryption, it subtracts pro- 
cessing delay to get the round-trip signal time of flight 
and, therefore, the distance to the navaid. 

The navaid's retransmission of the client's newly- 
generated, unpredictable Tc demonstrates that the 
navaid received the client's transmission before the 
client received the navaid's response. Thus, no mea- 
coner can claim that the difference between the client 
and navaid is less than it actually is. All-station mea- 
coning will not work against this protocol as long as 

but we assume that faster vehicles can 



^"This is at least an order of magnitude slower than the fastest airborne objects 
accept proportionally higher position uncertainty. 

^^If all of the messages in the protocol are quite short, a block cipher in ECB mode is sufficient; otherwise, they'll need to 
use a robust symmetric encryption mode. 
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one navaid above the number necessary to fix 3D po- 
sition is within range. 

Note that for many key applications — landing 
guidance, mid-air traffic avoidance, radio altimctry, 
and so on — an attacfier being able to increase the 
measured distance is a critical safety problem. A 
collision-avoidance protocol must therefore cither re- 
quire at least three non-collinear nodes or use trans- 
mission security. 

Further analysis of the security of similar 
distance-bounding protocols can be found in [5] and 
[6]. 

3.7.2 Protocol 5: Active time-of-flight navi- 
gation (post-autenticated) 

It might be useful in some situations for nodes to 
determine distance without pre-arranging keys. In 
essence, we run the previous protocol without en- 
cryption, then authenticate the response afterwards. 
This loses authentication of interrogations; that could 
be restored with the pre-authentication method from 
Protocol 3, but then this protocol loses any advantage 
it might have over its pre-authenticated counterpart. 



Client sends: (Interrogation) 




Client's random string 


t 


Tiuiestami) 


Navaid sends: (Response) 


rc 


Client's random string 


r„ 


Navaid's random string 



Then the navaid sends the client a signed, public- 

key-encryptcd message containing r,., its identity, 
and cnxTvthing it kn(nv about its position and radia- 
tion i)attcrii when it sent its rcsjjonse; 



Navaid sends: (Authentication) 


P 


Navaid position at time t 


d 


Navaid antenna direction at t 


t 


Interrogation timestamp 


i 


Navaid identifier 


rc 


Client's random string 


r„ 


Navaid's random string 


Ski-) 


Signature of the above 



Since third parties can't infiuence or predict rc or 
r„, the signed message demonstrates that the navaid 
generated its response after it received the interroga- 
tion. 



3.8 Modulated signal content 

Description 

A navaid transmits an interrogation signal; the 



client responds immediately with either a reflection 
of the interrogation or some other data signal; the 
navaid then informs the client of its distance and/or 
azimuth/elevation angle through data or voice mes- 
sages. 

Examples 

Ground-controlled approach 
Security 

Securely locating clients works the same and has 
essentially the same security considerations as clients 
locating themselves; the remainder of the problem 
is just transmitting timestamped position messages. 
That can be done with any type of authentication, 
encryption, and transmission security. 

3.9 Other methods 

We omit discussion of acoustic and optical means, all 

of which except celestial navigation arc analogues of 
the radionavigation schemes treated here. There are 
probably other actual or potential radionavigation 
methods. Many properties of radio signals are not 
usable for navigation: Polarization is unsuitable be- 
cause it is altered by signals' interactions with me- 
dia and the superposition of multipath signals is not 
resolvable. Anisotropy in carrier frequency/phase is 
subject to multipath distortion and not readily mea- 
surable with simple antennae. Carrier phase alone 
only specifies distance inside a wavelength, leaving an 
integer ambiguity — though it is useful for refining an 
existing rough distance measurement; survey-grade 
GPS receivers use it that way. 

4 Combining navigation tech- 
niques 

Navigation is always a matter of combining measure- 
ments, and more authenticated measurements means 
more confidence about position and time. There are 
several ways to combine different measurement types 
that increase security: 

• The navaid transmissions in our first two pas- 
sive protocols are identical. A client using Pro- 
tocol 1 (passive direction-based navigation) can 
use the timestamps given in that protocol as 
another Protocol 2 time source, thus adding a 
level of meaconing resistance to both protocols. 
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• Active timing-based ranging by a client and 
navaid can be daisy-chained into three mes- 
sages. Each node calculates the range to the 
other and sends a signed, encrypted measure- 
ment of that range; if the ranges are different 
by more than the nodes could have moved dur- 
ing the delay, imperfect meaconing is strongly 
indicated. 

• The active timing and angle protocols can also 
be combined: either a client or a navaid sends 
out an interrogation, the other one responds 
immediately, and in the certificated exchange 
afterward the navaid informs the client of the 
direction that the client sent its message from. 

• A cleartext passive navigation system such as 

GPS can be combined with a small number of 
active-response or passive LPI-secure differen- 
tial positioning nodes to markedly improve se- 
curity against meaconing. 

5 Non-navigation protocols 
essential to aviation 

5.1 Controller-pilot communication 
links 

The most important factor in preventing mid-air col- 
lisions today is voice communication between air traf- 
fic controllers and pilots. Separation procedure and 
radar surveillance are useless without a channel for 
instructions, advisories, and questions. 

Intrusion on controller-pilot channels (probably in 
the form of false instructions to pilots) has possibly 
dire consequences if pilots have no other way to avoid 
collision. Imagine two aircraft approaching the same 
horizontal point with adequate vertical separation; an 
attacker jams the collision- avoidance channel, orders 
one of the aircraft to descend to the other's altitude, 
and immediately jams the controller-pilot connection. 

One inventive proposed solution[7] implements 
aircraft authentication and data transfer as a 
steganographic watermark imposed on the analog 
voice signal by airborne communication headsets. 
However, it appears to be insecure, and it fails to 
treat the crucial problem of ensuring that a transmis- 
sion is from an air traffic control facility and reason- 
ably current. Any secure voice protocol will need to 

i^TCAS does something like this, and the F-16 has upper axi 
mentation seems to be designed to adaptively detect and avoid 



use a digitized voice signal, strongly bind the voice 
content to a timestamped signature, and provide a 
key-agreement method. These are well-solved prob- 
lems. 

Simple jamming is still a serious vulnerability, 
though, because current procedures for coping with 
two-way radio communications failure[8] rely on lead- 
ing other traffic out of the unresponsive aircraft's 
path and landing that aircraft as soon as practicable. 
Thus, if aircraft avoided colliding, they would still be 
expected to terminate their flights at the nearest ap- 
propriate airport that they came into visual contact 
with, which would have an enormous economic im- 
pact on commercial airlines. Some form of anti-jam 
protection is certainly called for. 

One possible solution for non-aerobatic aviation, 

other than a dedicated secure spread-spectrum voice 
band, is establishing a text and geospatial-data mes- 
saging system that piggybacks on as many other air- 
craft communication and navigation systems as pos- 
sible, distributing low-bandwidth messages to every 
node assumed to be within line of sight of the desti- 
nation. An aircraft in receipt of a current authentic 
packet addressed to its area could also then attempt 
to forward the packet on a peer-to-peer basis. Mes- 
sages would include specific instructions to aircraft, 
general traffic advisories, weather and turbulence in- 
formation, cryptographic certificate revocations, and 
possibly other keying information. Messages from 
aircraft to controllers and other aircraft could also 
be forwarded, on a strict non-interference basis. 

Public-key cryptography is applicable to trans- 
mission security. Each node could have several rela- 
tively simple spread-spectrum transceivers and could 
use a key-agreement protocol to establish transmis- 
sion security keys with navaids, air traffic control fa- 
cilities, and peer aircraft via any other available node. 
Alternatively, generating transmission security keys 
could be part of filing a flight plan. Each landing- 
guidance installation could have a radio that toggled 
between the transmission security parameters for ex- 
pected inbound aircraft, and several radios that com- 
municated with the nearest few craft. 

Another simple way to decrease the impact of 
jammers on communication is equipping each aircraft 
with two antennae with hemispherical reception pat- 
terns, one pointed up and one down.^^ For aircraft 
with normal en-route attitudes, this prevents jam- 
mers above the aircraft (like balloons) from blocking 

d lower antennae for UHF voice and SADL, but neither imple- 
jamming. 
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signals from below (like landing-guidance transmit- 
ters) and vice versa, and is especially powerful when 
combined with the above peer-to-peer distribution 
network in the presenc;e of a mixture of ground-based, 
satellite, and airborne communication nodes. 

5.2 Identification protocols 

Civilian aircraft are identified by a 4-digit transpon- 
der code assigned on the fly by air traffic con- 
trollers and entered by pilots. The cockpit-selectable 
transponder ID system is a waste of pilot and con- 
troller time and a security risk. Aircraft should be 
identified by a globally unique code at all times; 
anonymity of general aviation flights can be preserved 
by encrypting transponder transmissions. The newer 
Mode S standard uses globally unique identiflers, but 
provides no anonymity and no protection against im- 
personation. 

Military aircraft in the USA and USA-allied na- 
tions use the Mark XII IFF protocol to identify air- 
borne objects. Mark XII is (weakly) cryptographi- 
cally authenticated but has no transmission security; 
it could easily be denied by jamming. Since lack of 
IFF response is sometimes taken to indicate a hostile 
aircraft, IFF jamming in a complex battlefield set- 
ting could lead to fratricide. Several friendly-fire in- 
cidents attributable in part to IFF malfunctions have 
happened in the last few years. [9] 

5.3 Position-reporting protocols 

The current paradigm in aviation protocols is ADS- 
B,^^ in which aircraft determine their position by 
some method (generally assumed to be GPS) and 
then broadcast their identification, location, and 
various other data. Traffic controllers and pilots 
can use the position reports to plan optimal routes 
while ensuring aircraft separation, which promises to 
markedly increase efficiency and ease psychological 
workloads, among a host of other beneflts. 

Of course this is only as secure and reliable as the 
positioning sources that it depends on. As for ADS- 
B itself, it should be trivially easy to add encrypted 
versions of the payload packets for clients who require 
anonymity to peers, a "key agreement" packet type to 
handle cryptographic setup, and a "digital signature" 
packet type that aggregates timestamped signatures 
for several recent packets. An additional packet type 
should be defined for airborne and ground nodes to 

Automatic Dependent Surveillance - Broadcast 



rc;port discrepancies between GPS position and en- 
vironmental observables, and between other nodes' 
stated and radar-measured positions. 

A potential concern with frequent automatic po- 
sition reporting is that it gives attackers a feedback 
channel into how their meaconing is affecting the tar- 
gets' notion of position. Also, the TIS-B protocol, 
which is part of the ADS-B suite, has ground radar 
facilities transmittting locations of aircraft as deter- 
mined from primary and secondary radar and ADS. 
While this is wonderful for safety, it also provides 
malicious users with an oracle into their radar de- 
tectability and the efficacy of ECM techniques, so its 
costs and benefits require careful consideration. 

5.4 Emergency rescue transponders 

Distress-beacon detection satellites (SARSAT/ 
GOSPAS) and rescue crews have limited capacity 
and no authentication system. An adversary who 
wanted to prevent downed aircraft from being lo- 
cated could do so quite easily by activating rogue 
emergency location transmitters (ELTs) in the gen- 
eral vicinity of the actual distressed craft, potentially 
with the same identification information as the legit- 
imate ELTs. Fake ELTs can be built cheaply. 

6 Certificate structure 

Navigation involves many changing security-related 
values and little spare bandwidth, so the sort of 
monolithic certificate used in most Internet protocols 
is not really appropriate. We suggest the use of a 
modular certificate format, with small certificates at- 
testing to a small set of facts, transmitted upon re- 
quest and/or broadcast periodically. All certificates 
should contain: 

• A set of assertions 

• The time range in which the assertions are valid 

• The identifier of the node about which asser- 
tions are being made 

• The public key of the certifier 

• A signature of a hash of the certificate 
Some common assertions are: 
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• Navigation-related information: Position, an- 
tenna pointing angle (as functions of time - for 
instance, Keplerian orbital elements for satel- 
lites) 

• Identifying information: Tail number, aircraft 

type and model 

• Cryptographic delegation information: Public 
keys of nodes 

• Information describing why someone should 
trust the node's public key: Key-holding de- 
vice manufacturer/model, cryptographic secu- 
rity type (unverified, remotely secure, tamper- 
resistant) [10], cryptographic verification au- 
thority, physical security level (unsecured, 
alarmed, sealed, supervised), owner, owner type 
(individual, airline, etc.) 

• Information that can help with non- 
cryptographic security verification: [11], [12] 
Platform type (surface, airborne, etc.), receiver 
sensitivity and transmitter power output (given 
as spherical functions of antenna pointing an- 
gle) 
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